Whilst Cloud technologies are commendable for providing equal access to data for all participants of an organization, it is expected that any data technology solution that a customer may acquire would improve and increase compliance with regulations and not reduce it or introduce any additional operational risks. When a customer puts data upto the Cloud and the data now resides on the Internet, this business activity could not be assumed to release the customer of any requirements to comply with local laws, that is the laws of the jurisdiction where the Company is established. The Company is still required to follow required Corporate Acts including such that require adequate and appropriate storage of Company records, especially for Publicly Listed Companies, and Companies where public funds are utilised or assurances gained from the Reserve Banking system of the jurisdiction. This is really a basis for most Corporate Laws in established free market jurisdictions, including Asia, EU and United States, the thesis being, that if Company data is stored in a different jurisdiction, it could not possibly be expected to comply at times of Audit or litigations when vital evidence and Log files, could not be authenticated as being sourced from a jurisdiction outside that of its Local Court System, and without any assurance that it has not possibly been tampered with! The element of competing jurisdictions amongst free market participants, cause this eventuation where an absolute trust on data from a jurisdiction that would be better-off if the competitor did not exist, prevails, especially in the Courts of Laws, where sometimes even a Free Trade Agreement may not even be enough.
However, the chase to gain the highest performance and latest technology may seem to be confusing sometimes, especially for entities who are not themselves engineers or have limited understanding of Cloud technologies. Indeed, any Company can sign up for Cloud Technologies and there is no need for a data engineering evaluation or any checks for the Customer with regards to Data Laws that are applied prior to the Company availing such services.
For example, let us consider a jurisdiction A, where the network bandwidth is 1MBps. A Company in this jurisdiction chooses to use Cloud and selects the nearest locale. This locale being near the jurisdiction A, would provide a network bandwidth similar to A's, being 1MBps [1][4]. However, whilst signing up, the Company in jurisdiction A, would have to agree to the OCI SLAs applicable to provide Cloud Service[3]. This includes a Promise by Oracle to provide a certain bandwidth Speed for storing and retrieving data from Cloud. This raises a high risk situation where the Customer expects compliance by not sending data to a jurisdiction outside its own, but when signing up for a Cloud Service would seem to concede a liability to not comply whilst asking for and agreeing to network performance SLAs for Oracle.
So, in India where the bandwidth maybe 2MBps and Australia where Bandwidth maybe 2.5 MBps, the requirements of FastConnect [2] and Inter-Regional data architecture, with minimum Port Speed of 1Gbps, data transfer may determine that the networks are not in a Healthy locale. To ensure compliance with Network SLAs, Oracle should even shift operations to the Healthy Network locale, without which OCI would not be able to provide it's Service as per the Promise in SLA, including deciding storing data on the Healthy Network. Further, even if there is a FastConnect connection between the client network and the Oracle Cloud Server on local jurisdiction but if the rest of the network on the local Cloud locale is not equally connected to fast network connection, the customer would loose assurance of localised data storage due to the connected network becoming un-Healthy. In this case, the Company has made all efforts, but is forced to relocate data to a foreign jurisdiction due to a reason that is beyond control of the Company.
However, such an implicit transfer of data from a local jurisdiction to a foreign location would loose Compliance for the Customer due to Data Localisation laws. A case of recklessness maybe introduced to the Company by its Customers, who may find that their personal data is shifted to a foreign jurisdiction and that they have lost assurance of any mis-use of such data.
This indeed becomes a Cybersecurity issue for the client when corporate data is thereby inadvertently moved to an unexpected location without full knowledge and visibility of the customer. Although there are settings available for OCI to choose locale and backup location, but certain power to act with regards to applicable SLAs only reside within the internal algorithm of choosing high performance locales for latest network technology requirements, where the Company would become an acceptor rather than selector especially when sitting on an un-Healthy network. So realistically, a Company in India or Australia could not expect that their data would be resident in the local jurisdiction always, when the probability of determining an un-Healthy network for such Bandwidth is higher than not as per the Promise of SLAs for OCI.
Care should be taken and all testing to be performed extensively with Oracle OCI team to check for such conditions that whilst OCI meets SLAs, the Company does not loose compliance with Data Privacy, Data Localisation and all standard Corporate Laws. Companies operating from jurisdictions with generally slower networks should always undertake such further requirements testing to prevent any risks of violating Corporate Laws or even becoming exposed to latest Cyberattacks, loosing important financial and customer data.
REFERENCES:
[1] Well-architected framework for Oracle Cloud Infrastructure
https://docs.oracle.com/en/solutions/oci-best-practices/tune-and-monitor-network.html#GUID-E218A2A1-6931-43DC-B271-A759C1DCCF17
[Section : Choose a Region Location Based On Networking Requirements]
[2] FastConnect
https://www.oracle.com/in/cloud/networking/fastconnect/
[Port speeds of 1 Gb/sec, 10 Gb/sec, 100 Gb/sec, or 400 Gb/sec are available.]
[3] Oracle Cloud Infrastructure Service Level Agreement (SLA)
https://www.oracle.com/in/cloud/sla/
[Availability Manageability Performance]
[4] Inter-Region Latency
https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/inter_region_latency.htm
[5] High Performance Computing (HPC)
https://www.oracle.com/cloud/hpc/